Auth*: Dispelling the Myths

There are a lot of bad practices and myths floating around about authentication and authorization these days. Using passwords just isn't good enough anymore. Come with me as I explore and dispel some of these common misconceptions and myths about these two important and often misunderstood topics. I'll talk about some of the most common techniques and look ahead to tools and options that can help make your applications even more secure.

@ SkiPHP 2013

Chris Cornutt

January 18, 2014

Transcript

  1. AUTH* DISPELLING THE MYTHS (@enygma, SkiPHP 2013; Saturday, January 18, 2014)

  2. (image-only slide)

  3. AUTHENTICATION

  4. AUTHENTICATION: “...the act of confirming the truth of an attribute of a datum or entity [and] often involves verifying the validity of at least one form of identification.” (source: wikipedia)

  5. Confirming identity; A satisfactory “yes” or “no”; Impossible...in theory; What about anonymous? (no, not *that* Anonymous...); AND...

  6. TYPES: Username/password; Two-factor; OpenID Connect; Biometrics; Security question

  7. AUTHORIZATION

  8. AUTHORIZATION: “...is the function of specifying access rights to resources, which is related to information security and computer security in general and access control in particular.” (source: wikipedia)

  9. Principle of Least Privilege; Coarse vs fine-grained; Think “rule” not “role”; AND...

  10. TYPES: Access control lists (ACL); Role-based access control (RBAC); Attribute-based control; Policy enforcement; Discretionary controls; Mandatory controls
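As an added example (not code from the talk), here is what “think rule, not role” and least privilege look like in Python: a deny-by-default policy whose rules are predicates over a subject's attributes, the action and the resource, so a role on its own grants nothing. The subjects, rules and resource kinds are made up for illustration.

```python
# Added example (not from the talk); the subjects, rules and resources are made up.
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Subject:
    """'Subject', not 'user': a person, a service account or an API client."""
    id: str
    roles: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Resource:
    kind: str
    owner: str

# A rule is a predicate over (subject, action, resource).
Rule = Callable[[Subject, str, Resource], bool]

def owner_can_edit_own(s, a, r):
    return r.kind == "document" and r.owner == s.id and a in ("read", "edit")

def auditors_read_only(s, a, r):
    return a == "read" and "auditor" in s.roles

def support_edits_on_shift(s, a, r):
    # attribute-based: the role alone is not enough, the subject must be on shift
    return a == "edit" and "support" in s.roles and s.attributes.get("on_shift") is True

# Named rules rather than roles: the rule name is what gets logged on a match.
POLICY = {
    "owner-edit-own": owner_can_edit_own,
    "auditor-read": auditors_read_only,
    "support-edit-on-shift": support_edits_on_shift,
}

def authorize(subject, action, resource, policy=POLICY):
    """Deny by default: return (allowed, matched rule name or None)."""
    for name, rule in policy.items():
        try:
            if rule(subject, action, resource):
                return True, name
        except Exception:
            continue   # fail securely: a broken rule never becomes an allow
    return False, None
```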
  11. MYTH #1: Multi-factor will keep us safe

  12. SILVER BULLETS: Not a “cure all”; Yet another hoop; Different implementations; Hardware versus software

  13. IT’S GOOD AT...: Being a backup method, not a replacement; Increasing confidence in users; Helps with compliance

  14. IT’S NOT GOOD AT...: Being the only method; Preventing out-of-band attacks; Stopping other attacks (ex. SQLi on login); Preventing provider (IdP) issues

  15. MYTH #2: It’s just a password, right?

  16. PASSWORD BALL & CHAIN: Ancient origins; Just feels ancient today; New app? Use a password?; Password policies

  17. WHY PASSWORDS SUCK: Shared across services; Restrictive policies; Too much work on “getting it right”; Users are no good at them; Cracking hardware is cheap

  18. (image-only slide)

  19. PASSWORD CRACKING: Offline attack; Dictionary/guessing; Brute force; Key casting; Cloud services; ....and password policies

  20. (image-only slide)

  21. (image-only slide)

  22. PASSWORD POLICIES: Number/Lower/Upper/Special; Reduce repeated characters; Length > Complexity; Use slow algorithm; Salt and hash (at the least)
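An added example, not from the talk, of the policy points on this slide in Python: a length-first check that rejects long runs of a repeated character, and per-user salted hashing with scrypt (a deliberately slow algorithm) from the standard library, stored in a self-describing record so the work factor can be raised later. The limits and work factors are illustrative choices.

```python
# Added example (not from the talk); limits and work factors are illustrative choices.
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12     # length over complexity: a long passphrase beats a short "P@ss1"
MAX_LENGTH = 128    # bound the work a single hash call can cost
MAX_RUN = 3         # "reduce repeated characters": reject aaaa / 1111

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # slow-hash work factor; raise as hardware gets cheaper

def check_policy(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(password) > MAX_LENGTH:
        problems.append("too long")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):   # a run longer than MAX_RUN
        problems.append("repeated characters")
    return problems

def hash_password(password):
    salt = os.urandom(16)                              # fresh random salt per user
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # self-describing record: the parameters travel with the hash so they can be raised later
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), dk.hex()])

def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":        # unknown or malformed record
        return False
    _, n, r, p, salt_hex, dk_hex = parts
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)       # constant-time comparison
```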
  23. (image slide) source: xkcd.com/936

  24. MYTH #3: Internal vs Cloud - Epic Battle

  25. (image-only slide)

  26. (image-only slide)

  27. INTERNAL: More control; More traditional options; Easier to customize; Hardware costs/infrastructure; Too many tools; Less stringent on encryption

  28. EXTERNAL: Standardized auth methods; Agility & flexibility; Cost savings; High encryption/protection; Less “control”; Limited to provider options

  29. CONNECTING: SAML (Markup); “Vaulted” POST request; Multi-factor integration; Federated identity; Custom API

  30. CRITERIA: Easy integration; Scalability; Provisioning integration; User authentication methods; Monitoring & management

  31. MYTH #4: The Auth that Wasn’t

  32. OWASP Top 10: A2: Broken Auth/Session Management; A4: Insecure Object References; A6: Sensitive Data Exposure (http://bit.ly/owasptop10-2013)

  33. BAD PRACTICES: Sending plain-text passwords; Sensitive data in the URL; Informative error messages; No throttling on resets or registrations or password failures

  34. DON’T...: Obscurity !== Security; Share logins; Use default credentials; Plain-text
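An added example (not the speaker's code) for two of the bad practices on slides 33 and 34, “informative error messages” and “no throttling on password failures”: a login path that gives one generic message whether the account exists or the password was wrong, with exponential backoff per account and a per-source failure limit. The in-memory store, the injectable clock and the limits are assumptions made so the example runs stand-alone.

```python
# Added example (not from the talk); in-memory state and a fake clock so it can be tested.
import time
GENERIC_ERROR = "Invalid username or password"  # never reveal which one was wrong
FREE_ATTEMPTS = 3      # failures allowed before delays start
BASE_DELAY = 2.0       # seconds; doubles with each further failure
MAX_DELAY = 900.0      # cap at 15 minutes
SOURCE_LIMIT = 50      # failures per source address within WINDOW
WINDOW = 3600.0        # one hour

class FailureThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable clock for testing
        self.accounts = {}          # account -> (failure_count, blocked_until)
        self.sources = {}           # source -> failure timestamps

    def retry_after(self, account, source):
        """Seconds to wait before another attempt is accepted (0 if none)."""
        now = self.clock()
        _, until = self.accounts.get(account, (0, 0.0))
        wait = max(0.0, until - now)
        hits = [t for t in self.sources.get(source, []) if now - t < WINDOW]
        self.sources[source] = hits
        if len(hits) >= SOURCE_LIMIT:       # one source hammering many accounts
            wait = max(wait, WINDOW - (now - hits[0]))
        return wait

    def record_failure(self, account, source):
        now = self.clock()
        count = self.accounts.get(account, (0, 0.0))[0] + 1
        delay = 0.0
        if count > FREE_ATTEMPTS:           # exponential backoff per account
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (count - FREE_ATTEMPTS - 1))
        self.accounts[account] = (count, now + delay)
        self.sources.setdefault(source, []).append(now)

    def record_success(self, account):
        self.accounts.pop(account, None)    # a good login resets the account counter

def login(throttle, users, username, password, source, verify):
    """users: {username: stored_hash}; verify(password, stored) -> bool. Returns (ok, message)."""
    wait = throttle.retry_after(username, source)
    if wait > 0:
        return False, "Too many attempts, retry in %d seconds" % wait
    stored = users.get(username)
    # unknown user and wrong password take the same path and get the same message
    if stored is None or not verify(password, stored):
        throttle.record_failure(username, source)
        return False, GENERIC_ERROR
    throttle.record_success(username)
    return True, "ok"
```

Note that `verify` is skipped for unknown usernames, so response time still differs between the two cases; hashing a dummy stored record on that path closes that gap.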
  35. MYTH #5: But we have...

  36. HARDWARE & SOFTWARE: Integrated systems; Firewalls; WAF; Encryption

  37. HAVING and USING are not the same

  38. FIXING AUTH: Planning for Security

  39. PRINCIPLES: Defense in Depth; Logging & auditing; Fail securely; Least privilege

  40. REALIGNMENT: Audit of current components; Gather usage data; Plan, plan then plan some more; Easier in hindsight

  41. LOOK AHEAD: Think “Subject” not “User”; Narrowing the options; Pick the right fit, not the shiny one; Plan for delegation

  42. IN DEPTH: More than one level?; What to protect?; Is it the same everywhere?; Policies/procedures; Reduce the overhead

  43. IDENTITY IS HARD

  44. THANKS: Questions or comments? @enygma, https://joind.in/10438